http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html describes how a malicious site can use onerror and <script src="..."> to determine whether you're logged into another site. Loading an HTML page using <script src="..."> usually triggers a syntax error, but the exact error and line number depend on the HTML.
Firefox could prevent this kind of attack on most sites by giving less information to the onerror handler when a script loaded from another site has a syntax error. I doubt this would break any sites other than ones trying to determine whether you're logged into another site.
I imagine that this could be done by throwing same-origin exceptions when the site tries to access certain fields of the object passed to the onerror handler, but it would probably be simpler to give the onerror handler an object that contains fewer details about the error. The full syntax error could still be shown in the Error Console.

Comment on attachment 271141
Don't give error handlers error info for xorigin errors.
I asked Johnny if the filename could potentially leak information as well (due to redirects if logged in) and it looks like we'll compile the script with whatever URI was passed in the src= attribute as the filename.
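
A small model of the behaviour discussed in the comments above, added here as an illustration; it is not code from the attached patch or from Gecko. The function name, the record shapes, the origin comparison rule, the redacted placeholder values and the `.example` hostnames are all assumptions made for the example.

```javascript
// Added model of the policy discussed in this bug; not Gecko code.
// errorInfoForHandler and the record shapes are hypothetical.
const REDACTED = { message: "Script error.", lineno: 0 }; // assumed placeholder values

// pageUrl:   document that installed window.onerror
// scriptSrc: URI exactly as written in the src= attribute
// finalUrl:  where the script body really came from, after redirects
// parsed:    { message, lineno } produced by the JS parser
function errorInfoForHandler(pageUrl, scriptSrc, finalUrl, parsed) {
  const requested = new URL(scriptSrc, pageUrl);
  const page = new URL(pageUrl).origin;
  // Assumed rule: cross-origin if either the requested or the delivered
  // URL leaves the origin of the page that owns the handler.
  const crossOrigin =
    requested.origin !== page || new URL(finalUrl).origin !== page;
  // The filename is always the requested URI, so a login redirect
  // cannot be read back through it.
  const filename = requested.href;
  const full = { message: parsed.message, lineno: parsed.lineno, filename };
  return {
    // What the page's onerror handler is allowed to see.
    handler: crossOrigin ? { ...REDACTED, filename } : full,
    // The Error Console still receives the full syntax error.
    console: full,
  };
}

// Constructed sample: one cross-site URL parsed as script in two session
// states, plus a same-origin script for comparison.
const PAGE = "https://probe.example/index.html";
const SRC = "https://site.example/account";
function demo() {
  const loggedIn = errorInfoForHandler(PAGE, SRC, SRC,
    { message: "syntax error", lineno: 12 });
  const loggedOut = errorInfoForHandler(PAGE, SRC,
    "https://site.example/login?next=/account",
    { message: "missing ; before statement", lineno: 3 });
  const ownScript = errorInfoForHandler(PAGE, "/js/app.js",
    "https://probe.example/js/app.js",
    { message: "syntax error", lineno: 40 });
  return { loggedIn, loggedOut, ownScript };
}
```

With the redaction in place the handler receives the same record in both session states, while a page's own scripts keep their full error details.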

Created attachment 351093
1.8-branch version
Version for 1.8 branch. The only minor change (besides context) is getting the nsIScriptObjectPrincipal from globalObject directly instead of from "win", a nsPIDOMWindow QI'd from globalObject that isn't used on the 1.8 branch.

(In reply to comment #15)
> Checked into 1.8.1.19 relbranch after verifying the fix in a tinderbox run
> (mac).
The win32 builds that shipped today for Firefox 2.0.0.19 do not contain this fix. We accidentally shipped the first build we did, rather than the respin which took this fix. Not sure what to do with the keywords to capture this.

(In reply to comment #22)
> Nick, did you ship the FIREFOX_2_0_0_19_BUILD1 tag or has the
> FIREFOX_2_0_0_19_RELEASE tag not properly pushed forward?
The FIREFOX_2_0_0_19_RELEASE tag was moved forward to match FIREFOX_2_0_0_19_BUILD2.
